Pin dependencies, update permissions in workflows, and add license sc…

…anning

Signed-off-by: John Kjell <[email protected]>

.github/workflows/db-migrations.yml

@@ -36,11 +36,11 @@ jobs:
 
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: '1.19.x'
+          go-version: '1.21.x'
 
       - name: Check DB Migrations
         run: |
-          curl -sSf https://atlasgo.sh | sh
+          go get ariga.io/atlas/cmd/[email protected]
           before=$(find ent/migrate/migrations/ -type f | wc -l | awk '{ print $1 }')
           make db-migrations
           after=$(find ent/migrate/migrations/ -type f | wc -l | awk '{ print $1 }')

.github/workflows/fossa.yml

@@ -0,0 +1,28 @@
+name: "Fossa Scan"
+
+on:
+    push:
+      branches: ["main"]
+    pull_request:
+      # The branches below must be a subset of the branches above
+      branches: ["main"]
+    schedule:
+      - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+    fossa-scan:
+      env:
+        FOSSA_API_KEY: ${{ secrets.fossaApiKey }}
+      runs-on: ubuntu-latest
+      steps:
+        - if: ${{ env.FOSSA_API_KEY != '' }}
+          name: "Checkout Code"
+          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        - if: ${{ env.FOSSA_API_KEY != '' }}
+          name: "Run FOSSA Scan"
+          uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+          with:
+            api-key: ${{ env.FOSSA_API_KEY }}

.github/workflows/pipeline.yml

@@ -13,7 +13,6 @@
 # limitations under the License.
 
 permissions:
-    id-token: write # This is required for requesting the JWT
     contents: read  # This is required for actions/checkout
 name: pipeline
 on:
@@ -26,6 +25,9 @@ on:
 jobs:
     fmt:
         uses: ./.github/workflows/witness.yml
+        permissions:
+          id-token: write # This is required for requesting the JWT
+          contents: read  # This is required for actions/checkout
         with:
           pull_request: ${{ github.event_name == 'pull_request' }}
           step: static-analysis
@@ -34,6 +36,9 @@ jobs:
 
     static_analysis:
         uses: ./.github/workflows/witness.yml
+        permissions:
+          id-token: write # This is required for requesting the JWT
+          contents: read  # This is required for actions/checkout
         with:
           pull_request: ${{ github.event_name == 'pull_request' }}
           step: static-analysis
@@ -43,6 +48,9 @@ jobs:
     tests:
         needs: [fmt, static_analysis]
         uses: ./.github/workflows/witness.yml
+        permissions:
+          id-token: write # This is required for requesting the JWT
+          contents: read  # This is required for actions/checkout
         with:
             pull_request: ${{ github.event_name == 'pull_request' }}
             step: "tests"
@@ -79,7 +87,7 @@ jobs:
                 password: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Download GoReleaser
-              run: go install github.com/goreleaser/goreleaser@latest
+              run: go install github.com/goreleaser/goreleaser@v1.23.0
 
             - name: Run GoReleaser
               uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934

.github/workflows/update-pre-commit-hooks.yml

@@ -22,6 +22,8 @@ on:
   schedule:
     # Run at 8:00 AM every day
     - cron: "0 8 * * *"
+permissions:
+  contents: read
 jobs:
   update-pre-commit-hooks:
     runs-on: ubuntu-latest
@@ -32,7 +34,7 @@ jobs:
           python-version: "3.11"
       - name: Install prerequisites
         run: |
-          pip install pre-commit
+          pip install pre-commit==3.6.0
       - name: Update pre-commit hooks
         run: |
           pre-commit autoupdate

.github/workflows/verify-licence.yml

@@ -36,7 +36,7 @@ jobs:
           with:
             go-version: '1.19.x'
         - name: Install addlicense
-          run: go install github.com/google/addlicense@latest
+          run: go install github.com/google/addlicense@v1.1.1
         - name: Check license headers
           run: |
             set -e

.github/workflows/witness.yml

@@ -28,9 +28,15 @@ on:
                 required: true
                 type: string
 
+permissions:
+  contents: read
+
 jobs:
     witness:
         runs-on: ubuntu-latest
+        permissions:
+          contents: read
+          id-token: write
         steps:
           - name: Harden Runner
             uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1

Dockerfile

@@ -15,13 +15,13 @@
 FROM golang:1.21.5-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS build
 WORKDIR /src
 RUN apk update && apk add --no-cache file git curl
-RUN curl -sSf https://atlasgo.sh | sh
+RUN go get ariga.io/atlas/cmd/[email protected]
 ENV GOMODCACHE /root/.cache/gocache
 RUN --mount=target=. --mount=target=/root/.cache,type=cache \
     CGO_ENABLED=0 go build -o /out/archivista -ldflags '-s -d -w' ./cmd/archivista; \
     file /out/archivista | grep "statically linked"
 
-FROM alpine
+FROM alpine:3.19.0@sha256:13b7e62e8df80264dbb747995705a986aa530415763a6c58f84a3ca8af9a5bcd
 COPY --from=build /out/archivista /bin/archivista
 COPY --from=build /usr/local/bin/atlas /bin/atlas
 ADD entrypoint.sh /bin/entrypoint.sh

Dockerfile-dev

@@ -15,7 +15,7 @@
 FROM golang:1.21.5-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS build
 WORKDIR /src
 RUN apk update && apk add --no-cache file git curl
-RUN curl -sSf https://atlasgo.sh | sh
+RUN go get ariga.io/atlas/cmd/[email protected]
 ENV GOMODCACHE /root/.cache/gocache
-RUN go install github.com/githubnemo/CompileDaemon@latest
+RUN go install github.com/githubnemo/CompileDaemon@v1.4.0
 ENTRYPOINT ["sh", "entrypoint-dev.sh"]